2
votes

Is it possible to read value saved in Key Vault, or Key Vaulted value in Named Values?

Managed Identities have been enabled in APIM, and a secret has been created in Key Vault.

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error:" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://xxx" />
            <audiences>
                <audience>read it from Key Vault, or Key Vaulted value in Named Values</audience>
            </audiences>
            <issuers>
                <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The links below seem relevant, but I wonder if there is simpler code, like the one line of code used for Azure Functions.

https://madeofstrings.com/2019/06/13/azure-api-management-key-vault-and-managed-identities/

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity

Whatever is mentioned in the links are the best possible options. Setting PIM as managed identity and accessing the Key Vault API. - Silly John

Initially, I was looking for a simpler solution. I need to verify if it works and mark the answer. - Pingpong

1 Answer

2
votes

We cannot use the same way as for Azure Functions to get an Azure Key Vault secret. We need to use MSI to get an access token, then use the Key Vault API to get the secret with the token. For more details, please refer to the document and the link.

1. Configure MSI

2. Set the access policy in Azure Key Vault

  Set-AzKeyVaultAccessPolicy -VaultName "your vault name" -ResourceGroupName "your group name" -ObjectId "the principal id you copy" -PermissionsToSecrets get, list, set, delete

3. Configure the policy

<send-request mode="new" response-variable-name="responseObj" timeout="30" ignore-error="true">
    <set-url>https://YOUR_KV_HOST/secrets/SEC_NAME/SEC_ID?api-version=7.0</set-url>
    <set-method>GET</set-method>
    <authentication-managed-identity resource="https://vault.azure.net" />
</send-request>

With this done, the response object is stored in context.

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error:" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
    <openid-config url="https://xxx" />
    <audiences>
        <!-- Get the value from responseObj in context -->
        <audience>@((string)((IResponse)context.Variables["responseObj"]).Body.As<JObject>()["value"])</audience>
    </audiences>
    <issuers>
        <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
    </issuers>
</validate-jwt>